Hands-On DEFCON 22 Badge

It took a measly 2-hours in line to score myself entry to DEFCON and this nifty badge. I spent the rest of the afternoon running into people, and I took in the RFIDler talk. But now I’m back in my room with a USB cord to see what might be done with this badge.

First the hardware; I need a magnifying glass but I’ll tell you what I can. There are huge images available after the break.

Parallax P8X32A-Q44

Crystal marked A050D4C

Looks like an EEPROM to the upper right of the processor? (412W8 K411)

Something interesting to the left. It’s a 4-pin package with a shiny black top that has a slightly smaller iridescent square to it. Light sensor?

Tiny dfn8 package next to that has numbers (3336 412)

Bottom left there is an FTDI chip (can’t read numbers)

The DEFCON letters are capacitive touch. They affect the four LEDs above the central letters.

I fired up minicom and played around with the settings. When I hit on 57600 8N1 I get “COME AND PLAY A GAME WITH ME”.

Not sure where I’m going from here. I don’t have a programmer with me so not sure how I can make a firmware dump. If you have suggestions please let me know in the comments!

FTDI chips allow you to repurpose the other lines (RTS, CTS, etc) as GPIO pins. You can reconfigure them with a special utility that writes to the EEPROM in the chip. You should probably read the EEPROM first before writing though…maybe there’s another clue in it.

From the looks of the image they didn’t save money by going with the FT230X…they went with more pins for a reason I’m guessing. If you have a multimeter and patience, you could determine if any connections other than RX and TX and GND connect between the FTDI and the processor.

Touch Letters and get messages:
O: WHERE TO BEGIN I KNOW FIND HAROLD^M (LEDs scan back and forth)
E: ALBERT MIGHT BE ON THE PHONE WITH HAROLD SO IF ITS BUSY TRY BACK^M (LEDs split in half, scanning opposite of each other)
E-O Together: WHITE LINES IN THE MIDDLE OF THE ROAD THATS THE WORST PLACE TO DRIVE (lights go off)
F-C Together: TRY THE FIRST HALF OF HIS PHONE NUMBER FOLLOWED BY HIS LAST NAME THEN THE SECOND HALF OF HIS NUMBER^M^C (four center lights blink quickly and outer two on either side blink alternating)
F-O Together: DEFCON DOT ORG SLASH ONE ZERO FIVE SEVEN SLASH I WONDER WHAT GOES HERE^M (alternating chase pattern)

Ah, actually I couldn’t see before b/c of the white. You can make out some of those pins, where they lead. Can’t help w/ the programmers though, haven’t worked w/ those chips much… USB access could be fruitful though, if it has like some sort of SWD thru USB.

WHERE TO BEGIN I KNOW FIND HAROLD
WHITE LINES IN THE MIDDLE OF THE ROAD THATS THE WORST PLACE TO DRIVE
TRY THE FIRST HALF OF HIS PHONE NUMBER FOLLOWED BY HIS LAST NAME THEN THE SECOND HALF OF HIS NUMBER
ALBERT MIGHT BE ON THE PHONE WITH HAROLD SO IF ITS BUSY TRY BACK

If it’s wired up like normal, the DTR line from the FTDI is used as reset. The prop bootloader will very briefly accept a binary uploaded via serial, and then give up and load the eeprom contents. There are eeprom dumpers out there for the prop which you just load into ram and run.

“TRY THE FIRST HALF OF HIS PHONE NUMBER FOLLOWED BY HIS LAST NAME THEN THE SECOND HALF OF HIS NUMBER”

Perhaps coincidentally, if you start with ‘657’, there are two phone numbers in 0x6576666577468583, albeit slightly overlapped, 657 area code is from LA. No, I wouldn’t go calling them, but perhaps by some stretch of the imagination, one is part of the answer to this question?

If you touch the ‘E’ and the ‘O’ together, the LEDs go out, and you get “WHITE LINES IN THE MIDDLE OF THE ROAD THATS THE WORST PLACE TO DRIVE” on the serial port. It’s another quote from They Live, which was quoting Robert Frost. Frost was responding to a statement by president Eisenhower in 1949 that, “The path to America’s future lies down the middle of the road between the unfettered power of concentrated wealth and the unbridled power of statism or partisan interests.”

I’m not entirely sure how I did it – I was swiping my finger back and forth across the letters – but I got this: “TRY THE FIRST HALF OF HIS PHONE NUMBER FOLLOWED BY HIS LAST NAME THEN THE SECOND HALF OF HIS NUMBER”

I realize that the source code to the badge was posted, but I haven’t opened the archive – so I can’t comment on what the code actually does. Maybe it is perfectly innocuous…but are you sure it is? Also – is the source code posted the same (compiles to) as the firmware on the badge?

I don’t know about others, but I would be rather wary about taking an unknown (especially if you didn’t know about the source code up front) device, obtained from one of the largest hacker conferences in the world, and just plugging it into a USB port on a personal machine (unless that machine was specifically meant for such “testing”).

It’s just a good practice to not take any electronics you care about to any hacker conference.
The organizers have a vested interest in keeping the cons going every year, so official contests aren’t likely to be malicious.
Who knows about attendees though.

Unless the schematics are lying, there’s no reason to believe that there’s any mystery around the FTDI chip. It’s simply used as a USB to serial converter, that’s all.

The 32-pin headers on the left and right, and the two 8-pin headers near the top are very likely to be based on the Propeller Platform. Jon McPhalen (j0hnnym@c) is the author of the software, and he developed that platform a couple of years ago. The two 8-pin headers are for connecting power to other boards (on a real Prop Platform board they would be in line with the 32-pin headers), and the two 32-pin headers carry the P0 to P15 pins (on the left, top down), and the P16-P31 pins (on the right, bottom-up). Each Propeller pin is connected to two header pins. The square solder islands on the headers are probably hints to the “mystery” but are probably not electrically important. The headers should make it possible to re-use the hardware for other purposes.

P0 to P3 are set up as touch buttons and from the other responses in this thread I’m seeing that they are connected to the E F C O letters in DEFCON. I can’t see from the pictures in which order they’re connected. It looks like there are 5 touch patterns that the program recognizes: 0001, 0101, 0111, 1000 and 1001. Each touch pattern starts a different sequence on the LEDs, and generates a different message on the terminal.

Extracting the EEPROM content and running “strings” is not going to help you. But a look at the source code shows that it uses Caesar cyphers where each letter in the alphabet is replaced by another letter that’s n places higher or lower in the alphabet, where n is constant for the entire message.

It also uses One-Time-Pad encryption, where each letter is replaced by a different letter based on the encryption key, where an A in the encryption key means no change, B means shift one letter, etc. (e.g. A+B=B, K+C=M, etc.).

The source code has some encrypted strings, which are decrypted as they’re sent to the serial port. There are also some unused messages in encrypted and clear-text format. The IR transmitter and receiver don’t appear to be used in the published source code; perhaps what’s on the badge when you get it is different from what they put online, or you need to get a different badge (the source file is called “dc22_badge_human.spin”) with so-far unpublished software to get more functionality.

The EEPROM is 64K but the Prop only uses 32K to run the software; there’s code on-board to access the rest of the EEPROM but it’s apparently not in use in the published source.

What do you make of the different lanyard types (diskette, rotary, defcon logo, keyhole, etc.)? They each have special characters on the neck which look like they could possibly be used to configure the board for different purposes.
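As an added example (not the badge’s published Spin source, and not any commenter’s code), here are the two letter-shift schemes the comment above describes, a constant-shift Caesar cipher and a per-letter key shift using the comment’s A+B=B, K+C=M convention, in Python. The plaintext and key are constructed for illustration; it also shows why a constant shift can simply be tried 26 ways.

```python
# Added example written from the comment's description of the badge ciphers.
# Sample plaintext and key below are constructed; the badge's real keys and
# ciphertexts are not on this page.
import string

ALPHA = string.ascii_uppercase


def shift_letter(c: str, n: int) -> str:
    """Shift one uppercase letter n places around the alphabet (negative n
    shifts backwards); anything that is not A-Z passes through unchanged."""
    if c not in ALPHA:
        return c
    return ALPHA[(ALPHA.index(c) + n) % 26]


def caesar(text: str, n: int) -> str:
    """Caesar cipher: every letter shifted by the same constant n."""
    return "".join(shift_letter(c, n) for c in text.upper())


def key_shift(text: str, key: str, decrypt: bool = False) -> str:
    """Per-letter shift driven by a repeating key: 'A' in the key means no
    change, 'B' means shift one, and so on. Only letters consume key
    characters, so spaces in the message stay where they were."""
    out, i = [], 0
    for c in text.upper():
        if c not in ALPHA:
            out.append(c)
            continue
        n = ALPHA.index(key[i % len(key)].upper())
        out.append(shift_letter(c, -n if decrypt else n))
        i += 1
    return "".join(out)


def add_letters(a: str, b: str) -> str:
    """The comment's notation: A+B=B, K+C=M (b is treated as the key letter)."""
    return shift_letter(a, ALPHA.index(b))


def brute_force_caesar(cipher: str) -> dict:
    """All 26 candidate plaintexts for a Caesar ciphertext, keyed by shift;
    a constant shift hides nothing, the readable candidate is the message."""
    return {n: caesar(cipher, -n) for n in range(26)}


if __name__ == "__main__":
    msg = "FIND HAROLD"  # constructed sample plaintext (a phrase seen on this page)
    c = caesar(msg, 3)
    print(c, "->", caesar(c, -3))
    k = key_shift(msg, "DEFCON")  # "DEFCON" is a constructed key, not the badge's
    print(k, "->", key_shift(k, "DEFCON", decrypt=True))
```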